One realisation from the publication of the recent Spectre and Meltdown security incidents was that modern CPUs may contain additional security design flaws. According to an exclusive report published by German magazine CT, eight additional vulnerabilities have been discovered, one of them potentially more dangerous than the initial Spectre and Meltdown vulnerabilities.
All eight vulnerabilities have already received official CVE numbers, but due to security considerations no further information has been publicly disclosed yet. Currently they are simply referred to as Spectre Next Generation, and they again affect CPUs from Intel and most likely from ARM as well. ARM did not comment, while Intel has released a statement saying “Protecting our customer’s data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details and any potential issues as we finalise mitigations. As a best practice, we continue to encourage everyone to keep the systems up-to-date”. It is currently unclear whether AMD CPUs are affected as well; the chip maker stated that it is looking into the matter and will share information as appropriate.
Four months after the revelation of the Spectre variant two vulnerabilities, there is still no evidence of a functioning exploit in the wild, but one of the newly discovered security vulnerabilities could be potentially more dangerous. It seems to allow for less complex attacks across system boundaries, which makes it particularly dangerous for all cloud and shared hosting environments. Last time we received restart notices for AWS EC2 paravirtualised instances a couple of weeks before the public disclosure; these are notably absent at the moment.
According to the report, Intel and the operating system manufacturers are currently working on patches. It is expected that a combination of microcode and operating system patches is necessary to fix the vulnerability. The first wave of patches is already expected in May, ideally on the first Windows patch day on 8 May.
We will continue to publish further information as the story unfolds and provide recommendations on how to protect your company and mitigate the risk associated with the vulnerabilities.